Request - JavaScript Compatible Number Canonicalization


Anders Rundgren
This may not sound like a security-related issue but it actually is...

Although entirely uncoordinated, there are several "standards" in the works based on creating JSON-based clear text alternatives to IETF's JWS signature scheme (which encodes data in Base64Url).

All of these schemes share a common and quite intricate interoperability issue, namely serialization of the JSON "Number" type.

Fortunately, ECMA, which defines JavaScript, has defined a strict format which is already implemented in Node.js (V8), Chrome, Firefox, and Safari.

I would therefore propose that the Double object (Numbers are always stored as doubles) is augmented with an additional method like toJsonNotation().

I'm currently relying on code that was featured in a previous version of JDK (Rhino):
https://github.com/cyberphone/openkeystore/blob/master/library/src/org/webpki/json/JSONObjectWriter.java#L188
Newer versions of JDK use another JS engine which produces non-compliant strings :-(

WDYT?

Anders
https://cyberphone.github.io/doc/security/jsonsignatures.html
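
An added illustration of the interoperability problem the message describes (not part of the original post and not the code it links to): the same double written in Java `Double.toString()` style and in ECMAScript style yields different clear-text bytes to sign, and re-serializing with ECMAScript rules makes them agree. The name `toJsonNotation` is borrowed from the proposal, `canonicalize` is a hypothetical helper, and all sample values are constructed.

```javascript
// Constructed samples: [Java Double.toString() text, ECMAScript text]
// for the same IEEE-754 double.
const SAMPLES = [
  ["1.0E21", "1e+21"],
  ["1.0E-7", "1e-7"],
  ["1.0E-6", "0.000001"],
  ["1.0E7", "10000000"],
  ["1000.0", "1000"],
];

// JSON number grammar (RFC 8259): no leading '+', no bare '.', no NaN/Infinity.
const JSON_NUMBER = /^-?(0|[1-9]\d*)(\.\d+)?([eE][+-]?\d+)?$/;

// Re-serialize one JSON number token in ECMAScript Number-to-string form.
function toJsonNotation(token) {
  if (!JSON_NUMBER.test(token)) {
    throw new SyntaxError("not a JSON number: " + token);
  }
  const n = Number(token);
  if (!Number.isFinite(n)) {
    // e.g. "1e400" overflows a double and cannot be written back as JSON
    throw new RangeError("out of double range: " + token);
  }
  return String(n);
}

// Hypothetical helper: rewrite every number in a message in ECMAScript form.
// Property order is kept as received; this only addresses number formatting.
function canonicalize(jsonText) {
  return JSON.stringify(JSON.parse(jsonText));
}

// Constructed messages carrying identical values, as two producers might emit them.
const JAVA_MSG = '{"amount":1.0E21,"rate":1.0E-7,"id":"tx-1"}';
const JS_MSG = '{"amount":1e+21,"rate":1e-7,"id":"tx-1"}';

for (const [javaText, esText] of SAMPLES) {
  console.log(javaText.padEnd(8), "->", toJsonNotation(javaText), "(expected", esText + ")");
}
// The raw texts differ byte for byte, so a signature computed over one
// does not verify over the other.
console.log("raw texts equal:      ", JAVA_MSG === JS_MSG);
// After ECMAScript-style re-serialization both sides sign the same bytes.
console.log("canonical texts equal:", canonicalize(JAVA_MSG) === canonicalize(JS_MSG));
```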